Web of Frauds

Post demonetisation, while the use of online payment platforms has gone up, so has the fraudulent use of payment networks, and data theft. The drive towards a cashless economy has compelled people to switch either to digital banking or electronic transactions. The sharpest rise has been in the use of mobile wallets. "E-commerce and m-wallet trends are so new that associated unknown risks are inevitable, more so, because the Internet is now an outstanding fraud battleground," says Amit Nath, Head of Asia Pacific - Corporate Business at F-Secure Corporation, an online security firm.

A study by ASSOCHAM-Mahindra SSG reveals that there has been a six-fold increase in such cases over the past three years. Credit and debit card fraud cases top the cybercrime charts - about 42 per cent of online banking complaints. The study further noted that mobile frauds are an area of concern for companies as 35-40 per cent of financial transactions are done via mobile devices. How safe are digital transactions really?

Types of online frauds and thefts

Identity theft: Fraudsters illegally obtain a person's banking details and get access to his or her account. "Unless one understands and owns the game of identity, companies will continue facing growth constraints because of frauds and attacks, resulting in lack of confidence," says Nath. As people become more comfortable with mobile wallets and banking through apps and smartphones, Wi-Fi networks continue to have major security flaws that can make it very dangerous to conduct transactions using mobile devices, he adds.

SIM swap: A fraudster gains details about a person's credentials, purchases a duplicate SIM with fake ID proofs, and blocks the person's current SIM. Financial transactions are then carried out in the name of the owner, as one-time passwords, or OTPs, are received on the new SIM.

Social engineering: Used by cyber criminals to extract confidential information from the victim. For instance, they could pose as a representative of your mobile wallet company and ask you to disclose your credentials under the pretext of updating their systems and records.

Phishing attacks: The user is entrapped using fake emails or websites, and is made to part with account-related sensitive information.

Vulnerable payment technology: Cyber criminals search for vulnerability within a payment technology and use it to their advantage. Some of these security breaches are relatively hard to detect, and can only be identified using advanced security systems.

Ransomware: In this, the hacker gains remote access to the device as well as the data of the victim, and can block access to the device until he or she is paid.

Brute force: Hackers crack the password by using all permutations and combinations. Those with weak or common passwords are at risk. Use of public Wi-Fi networks is an additional risk.

Malware: These are specifically designed mobile applications and programmes that give cyber criminals access to the sensitive data on the device. This malicious software can make its way into one's mobile device via an email attachment or when downloading an unauthorised app. Sometimes, even fraud apps from Google Play Store get installed on a device and transmit confidential data to the attacker. "Though banks have secured their connection from the browser to the bank, as well as the online banking servers, it is still one of the weakest links in any online banking session," says Nath.

As a precaution, it is advisable to monitor your accounts regularly, and check for any unusual activity. One should never link the payment wallets to one's debit/credit cards or bank accounts. Only one card should be used to recharge these wallets, as it limits the risk to a single card if the account is hacked. Common passwords should not be used. Also, passwords should be changed on a regular basis. It would be wise to lock your phones with strong passwords, patterns or PINs to prevent unauthorised access. Also, ensure that the card number is not visible to retailers at the time of purchase.

"Users can set up a PIN on Android apps that they will be asked for before all transactions. In the iOS app, fingerprint approval is required. We are also launching a PIN with which users will be able to access their account through an alternative number in case their phone is lost," says Upasana Taku, Co-founder of MobiKwik.

People should also be careful while downloading apps, and abstain from downloading them from sites that are not credible. One should not respond to requests from apps which do not look trustworthy. Enable the maximum security protection available on the smartphone as well as the mobile wallet. Installing an anti-virus on phones is crucial, as it makes the phone less vulnerable to virus or malware attacks. "Use of good anti-virus software is the foremost step towards defending yourself against cyber criminals. Also, one should befriend people online very cautiously; it's best to not accept requests from unknown people," says Nath.

Creating separate email accounts for different purposes could prove to be helpful, as after cracking the password for the main email ID, the hacker will have the key to the user's personal data such as bank account number, passport details, and date of birth. "A separate account for your bank and other financial accounts, one for shopping, and another for social networks is a good idea," says Nath. One must also be wary of online pop-ups as these could contain malicious software for tricking users.

Mobile banking through wallets allows people to view transaction history and get an alert every time there is any activity. Keep track of all the messages and notifications that you receive from your bank or wallet providers to be sure of all the transactions made. "There are millions of users who have poor awareness of security features in their devices. Attackers can easily target them to carry out frauds - these will be low value per individual, but the volume will be high. This will reduce the level of trust that people have in online transactions," says Rajat Mohanty, CEO, Paladion Networks.

It is a good practice to log out of mobile wallets, even if it may be inconvenient to key in the details again, so that you do not lose money in case the mobile is stolen. A phone without proper security and password is like an open purse - loaded with cash. Storing card details on websites is asking for trouble; taking a few extra seconds to feed in card details while paying online is a small price to pay for peace of mind.

"It is essential to increase awareness about these matters as many mobile wallet subscribers in India are first-time users. One can also look at adding the extra protection of app-level passwords using a password manager as an additional security measure," says Mohanty. There are a lot of other secondary-level locking apps that allow you to put these mobile wallet and banking apps in a separate folder with a password. "The government is supporting mobile wallets and their usage. Mobile wallets are somehow considered safer than plastic money like debit and credit cards. This is because the payment method is secure as financial information is transmitted between the bank and the application via a token (encryption) and not the consumer's account number," says Nath. The token is an encryption that is understood only by the application provider.

In Case of an Attack

The first and foremost thing to do is inform the payment wallet provider and get in touch with the bank concerned. Change your credentials immediately. Providing information to the wallet provider helps it investigate the fraud and prevent it from recurring. If a phone is stolen, the SIM card needs to be blocked first, and then the bank and the wallet service provider informed so that transactions can be blocked. "For protection of critical IT infrastructure, where the attacks will be of advanced nature and hence difficult to detect, we are applying big data and machine learning methods; and for the mass market segment, to improve the security baseline, we have created a cloud-based technology that provides security with low cost and simplicity," says Mohanty.

If your phone is attacked by malware, do a factory reset. Visit a cyber crime cell and file a complaint. All banks and wallet companies have their own cybercrime units, and online and banking fraud cells. For example, cybercell@paytm.com is the cyber cell contact of Paytm.